Why API Threat Hunting is Now Essential
One lesson that many security teams have learned the hard way is that waiting for security incidents to be detected before taking action is no longer good enough. Whether they’ve been affected by targeted attacks, blindsided by global incidents like Log4Shell, or both, many organizations now recognize that proactive threat hunting capabilities are no longer optional.
Threat hunting efforts should obviously encompass risks to enterprise networks, cloud instances, endpoints, servers, and other foundational IT infrastructure. But it’s critical to consider all potential attack vectors, particularly those that can provide access to sensitive assets without compromising a specific IT network or system.
APIs are a perfect example. APIs provide direct access to data, functionality, and workflows that are an organization’s digital crown jewels. And while baseline perimeter security measures are widely used to protect applications, API abuse and other types of attacks are on the rise. In fact, some of the highest-profile security incidents to hit the headlines in recent years have been API-related.
Through a series of four blog posts, we’ll dive into some concrete examples of how APIs are attacked and provide some actionable recommendations as you consider ways to extend threat hunting to your APIs.
In this first post, we’ll start by:
- Reviewing some foundational API definitions and concepts
- Exploring some of the technology shifts that now make API threat hunting a must
In later posts, we’ll share some real-world examples of how organizations of all sizes are being affected by API vulnerabilities and provide some specific recommendations for getting started with API threat hunting.
The basics of APIs and endpoints
APIs are used for many purposes, ranging from business-to-consumer (B2C) functionality, business-to-business (B2B) collaboration and integration, and internal development and integration functions. Web APIs, which communicate over the same HTTP protocol used by web browsers, are the most common implementation model. The specific functionality these APIs provide may also sometimes be referred to as services or API products.
When thinking about API security, it’s also important to understand the concept of an endpoint. While this term is sometimes used to refer to end-user computing devices, it has a different meaning in the context of APIs. You can think of an API endpoint as a single accessible resource that is part of the API, along with the operation that can be performed on it.
Here’s a simple example. An API endpoint that returns order information for a specific company might be represented as: GET /orders/{orderID}.
In this case, GET is a specific HTTP method, and orders and orderID represent the particular resource being requested through the API.
Why is API threat hunting now a requirement?
Many businesses now operate in a near-continuous state of digital transformation. Fast-moving DevOps practices are introducing continuous change, and new types of application stacks and digital functionality are now often scattered across many different locations in the public cloud.
This shift is unfolding faster than API management and security tools can keep up. For example, Gartner predicts that:
By 2025, less than 50% of enterprise APIs will be managed, as explosive growth in APIs surpasses the capabilities of API management tools.
This is changing the battleground when it comes to cybersecurity. According to data from Akamai, 83 percent of all web traffic is API activity. So increasing traffic on APIs leads to downstream effects like increasing attacks and abuse. Meanwhile, many security teams are stuck in catch-up mode. APIs just keep multiplying, while existing application security tools offer minimal API protection.
In the past, an attacker might set their sights on breaching an enterprise data center to access and exfiltrate an organization’s digital crown jewels from a specific server. Or, they might attempt to inspect enterprise network traffic to capture sensitive data. In these scenarios, proactive threat hunting might center on activities like penetration testing to cut off threat actors’ possible points of entry.
In an API-enabled world, this dynamic is different. For an explanation of how, check out this short clip from our recent webinar, “API Threat Hunting: Anatomy of an API Attack.”
Click here to watch the complete webinar replay.
Many APIs are inherently accessible to anyone in the outside world, with credentials and keys sometimes acting as the only line of defense. And threat actors are increasingly adept at compromising these elements. In addition, some of the most damaging types of API abuse can originate from parties who have been granted access to APIs but choose to use them in unsanctioned ways.
Consider this additional data point from Gartner:
Through 2025, at least 70% of organizations will deploy specialized runtime protection only for the public-facing APIs they produce, leaving other APIs unmonitored and lacking API protection.
As large amounts of API activity occur between internal and partner entities, this represents a significant gap in protection.
Further complicating matters is the fact that even where API security frameworks exist, such as the OWASP API Top 10 list of known vulnerability types, connecting the dots between abstract risks and specific API implementation details in a particular environment isn’t easy.
We’ll illustrate this point in future posts with some real-world examples of how organizations have been affected by novel instances of well-known vulnerability types.
Stay tuned for the next article in this threat hunting series.
*** This is a Security Bloggers Network syndicated blog from Blog authored by Tal Leibovich. Read the original post at: https://www.neosec.com/blog/why-api-threat-hunting-is-now-essential
